```html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Spring Boot 安全机制深度解析</title>
    <link href="https://cdn.staticfile.org/tailwindcss/2.2.19/tailwind.min.css" rel="stylesheet">
    <link href="https://cdn.staticfile.org/font-awesome/6.4.0/css/all.min.css" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@400;500;600;700&family=Noto+Sans+SC:wght@300;400;500;700&display=swap" rel="stylesheet">
    <script src="https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.min.js"></script>
    <style>
        body {
            font-family: 'Noto Sans SC', Tahoma, Arial, Roboto, "Droid Sans", "Helvetica Neue", "Droid Sans Fallback", "Heiti SC", "Hiragino Sans GB", Simsun, sans-serif;
            color: #333;
            line-height: 1.6;
        }
        h1, h2, h3, h4 {
            font-family: 'Noto Serif SC', serif;
            font-weight: 600;
        }
        .drop-cap::first-letter {
            font-size: 3.5em;
            float: left;
            line-height: 0.9;
            margin: 0.1em 0.2em 0 0;
            color: #4f46e5;
            font-weight: bold;
        }
        .code-block {
            background-color: #2d3748;
            color: #f7fafc;
            border-radius: 0.5rem;
            overflow-x: auto;
        }
        .code-block pre {
            margin: 0;
            padding: 1rem;
            font-family: 'Courier New', Courier, monospace;
        }
        .hover-glow:hover {
            box-shadow: 0 10px 25px -5px rgba(79, 70, 229, 0.3), 0 10px 10px -5px rgba(79, 70, 229, 0.1);
            transform: translateY(-2px);
            transition: all 0.3s ease;
        }
        .gradient-text {
            background-clip: text;
            -webkit-background-clip: text;
            color: transparent;
            background-image: linear-gradient(90deg, #4f46e5, #9333ea);
        }
    </style>
</head>
<body class="bg-gray-50">
    <!-- Hero Section -->
    <section class="relative bg-gradient-to-r from-indigo-900 to-purple-900 text-white py-20 md:py-32 px-4 sm:px-6 lg:px-8">
        <div class="max-w-6xl mx-auto text-center">
            <div class="inline-block px-4 py-1 mb-4 bg-indigo-700 bg-opacity-50 rounded-full text-sm font-medium">
                <i class="fas fa-lock mr-2"></i>安全机制
            </div>
            <h1 class="text-4xl md:text-6xl font-bold mb-6">
                <span class="gradient-text">Spring Boot</span> 安全机制全解析
            </h1>
            <p class="text-xl md:text-2xl max-w-3xl mx-auto opacity-90 mb-8">
                深入探索 Spring Security 的核心机制，构建坚不可摧的应用防护体系
            </p>
            <div class="flex justify-center space-x-4">
                <a href="#authentication" class="px-6 py-3 bg-white text-indigo-900 font-medium rounded-lg hover:bg-opacity-90 transition-all">
                    <i class="fas fa-user-shield mr-2"></i>认证机制
                </a>
                <a href="#authorization" class="px-6 py-3 bg-transparent border-2 border-white text-white font-medium rounded-lg hover:bg-white hover:text-indigo-900 transition-all">
                    <i class="fas fa-key mr-2"></i>授权机制
                </a>
            </div>
        </div>
        <div class="absolute bottom-0 left-0 right-0 h-16 bg-gradient-to-t from-gray-50 to-transparent"></div>
    </section>

    <!-- Main Content -->
    <div class="max-w-4xl mx-auto px-4 sm:px-6 lg:px-8 py-12">
        <!-- Introduction -->
        <section class="mb-16">
            <p class="drop-cap text-lg md:text-xl text-gray-700 mb-8">
                Spring Boot 提供了强大的安全机制，确保应用程序在不同场景下的安全性。其安全机制的实现主要依赖于 Spring Security，这是一个全面且功能强大的安全框架。Spring Boot 对 Spring Security 进行了自动配置，简化了常见的安全需求，例如认证、授权、跨站请求伪造 (CSRF)、跨域资源共享 (CORS) 等问题的处理。
            </p>
        </section>

        <!-- Section 1: Auto Configuration -->
        <section class="mb-16">
            <div class="flex items-center mb-6">
                <div class="w-10 h-10 rounded-full bg-indigo-100 flex items-center justify-center mr-4">
                    <span class="text-indigo-600 font-bold">1</span>
                </div>
                <h2 id="auto-config" class="text-2xl md:text-3xl font-bold text-gray-800">Spring Boot 的安全机制自动配置</h2>
            </div>
            
            <div class="bg-white rounded-xl shadow-md overflow-hidden hover-glow mb-8">
                <div class="p-5 border-b border-gray-200 bg-gray-50">
                    <div class="flex items-center">
                        <div class="w-3 h-3 rounded-full bg-red-500 mr-2"></div>
                        <div class="w-3 h-3 rounded-full bg-yellow-500 mr-2"></div>
                        <div class="w-3 h-3 rounded-full bg-green-500"></div>
                    </div>
                </div>
                <div class="code-block">
                    <pre><code class="language-java">@Configuration
@ConditionalOnClass(SecurityConfigurerAdapter.class)
@EnableConfigurationProperties(SecurityProperties.class)
@AutoConfigureBefore(DataSourceAutoConfiguration.class)
public class SpringSecurityAutoConfiguration {
    
    @Bean
    @ConditionalOnMissingBean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // 默认的 HTTP 安全配置
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
            .and()
            .logout()
                .permitAll();
        return http.build();
    }
}</code></pre>
                </div>
            </div>
            
            <div class="prose prose-indigo max-w-none">
                <p>在该类中，<code>SecurityFilterChain</code> 用来配置 HTTP 安全策略，例如哪些请求需要认证，哪些请求可以匿名访问，登录页面和注销功能等。Spring Boot 通过 <code>@ConditionalOnClass</code> 确保只有在存在 <code>SecurityConfigurerAdapter</code> 类时，才会启用自动配置。<code>@AutoConfigureBefore(DataSourceAutoConfiguration.class)</code> 注解保证 Spring Security 会在数据源配置之前进行初始化。</p>
            </div>
        </section>

        <!-- Section 2: Authentication -->
        <section class="mb-16">
            <div class="flex items-center mb-6">
                <div class="w-10 h-10 rounded-full bg-indigo-100 flex items-center justify-center mr-4">
                    <span class="text-indigo-600 font-bold">2</span>
                </div>
                <h2 id="authentication" class="text-2xl md:text-3xl font-bold text-gray-800">认证机制</h2>
            </div>
            <div class="prose prose-indigo max-w-none mb-8">
                <p>Spring Security 提供了多种认证方式，包括基于表单的认证、HTTP Basic 认证、OAuth2 认证等。Spring Boot 默认启用基于表单的认证机制，并提供了一些配置选项以简化其配置。</p>
            </div>
            
            <div class="grid md:grid-cols-2 gap-6 mb-8">
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-sign-in-alt mr-2"></i>表单认证配置</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">http.formLogin()
    .loginPage("/login")  // 指定自定义登录页面
    .permitAll();         // 允许所有用户访问</code></pre>
                    </div>
                    <p class="text-gray-700">当用户访问受保护资源时，Spring Boot 会自动重定向到登录页面。登录成功后，Spring Security 会根据用户角色决定是否允许访问相应资源。</p>
                </div>
                
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-users mr-2"></i>用户认证的实现</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">@Bean
public UserDetailsService userDetailsService() {
    UserDetails user = User.withUsername("user")
                           .password("{noop}password")
                           .roles("USER")
                           .build();
    return new InMemoryUserDetailsManager(user);
}</code></pre>
                    </div>
                    <p class="text-gray-700"><code>{noop}</code> 表示密码不做加密处理。在生产环境中，密码应当进行加密存储。Spring Security 支持多种加密算法，如 bcrypt、PBKDF2 等。</p>
                </div>
            </div>
            
            <!-- Visualization -->
            <div class="bg-white p-6 rounded-xl shadow-md mb-8">
                <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-project-diagram mr-2"></i>认证流程可视化</h3>
                <div class="mermaid">
                    graph TD
                        A[客户端请求] --> B{是否认证?}
                        B -- 已认证 --> C[访问资源]
                        B -- 未认证 --> D[重定向到登录页]
                        D --> E[提交凭证]
                        E --> F{验证成功?}
                        F -- 成功 --> C
                        F -- 失败 --> G[返回错误]
                </div>
            </div>
        </section>

        <!-- Section 3: Authorization -->
        <section class="mb-16">
            <div class="flex items-center mb-6">
                <div class="w-10 h-10 rounded-full bg-indigo-100 flex items-center justify-center mr-4">
                    <span class="text-indigo-600 font-bold">3</span>
                </div>
                <h2 id="authorization" class="text-2xl md:text-3xl font-bold text-gray-800">授权机制</h2>
            </div>
            <div class="prose prose-indigo max-w-none mb-8">
                <p>授权是指在认证后，判断用户是否有权限访问某些资源。在 Spring Security 中，授权机制通过 <code>@PreAuthorize</code>、<code>@Secured</code> 注解，或者通过 HTTP 安全配置中的 <code>authorizeRequests()</code> 方法进行配置。</p>
            </div>
            
            <div class="grid md:grid-cols-2 gap-6 mb-8">
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-user-tag mr-2"></i>基于角色的授权</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">http.authorizeRequests()
    .antMatchers("/admin/**").hasRole("ADMIN")
    .antMatchers("/user/**").hasAnyRole("USER", "ADMIN")
    .anyRequest().authenticated();</code></pre>
                    </div>
                    <p class="text-gray-700">在上面的代码中，<code>/admin/**</code> 路径只允许具有 <code>ADMIN</code> 角色的用户访问，而 <code>/user/**</code> 路径可以被 <code>USER</code> 或 <code>ADMIN</code> 角色的用户访问。</p>
                </div>
                
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-code mr-2"></i>基于方法的授权</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">@PreAuthorize("hasRole('ADMIN')")
public void deleteUser() {
    // 删除用户的逻辑
}</code></pre>
                    </div>
                    <p class="text-gray-700">在上面的例子中，只有 <code>ADMIN</code> 角色的用户才能调用 <code>deleteUser()</code> 方法。</p>
                </div>
            </div>
            
            <!-- Visualization -->
            <div class="bg-white p-6 rounded-xl shadow-md">
                <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-sitemap mr-2"></i>授权层次结构</h3>
                <div class="mermaid">
                    graph LR
                        A[用户] --> B{角色}
                        B --> C[ADMIN] --> D[所有权限]
                        B --> E[USER] --> F[有限权限]
                        B --> G[GUEST] --> H[只读权限]
                </div>
            </div>
        </section>

        <!-- Section 4: CSRF -->
        <section class="mb-16">
            <div class="flex items-center mb-6">
                <div class="w-10 h-10 rounded-full bg-indigo-100 flex items-center justify-center mr-4">
                    <span class="text-indigo-600 font-bold">4</span>
                </div>
                <h2 class="text-2xl md:text-3xl font-bold text-gray-800">跨站请求伪造 (CSRF) 防护</h2>
            </div>
            <div class="prose prose-indigo max-w-none mb-8">
                <p>CSRF 攻击是指攻击者诱导用户执行非本意的请求。Spring Security 默认启用 CSRF 防护。Spring Boot 自动配置会为所有的 POST 请求添加 CSRF token，确保请求的合法性。</p>
            </div>
            
            <div class="grid md:grid-cols-2 gap-6">
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-ban mr-2"></i>禁用 CSRF 防护</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">http.csrf().disable();</code></pre>
                    </div>
                    <p class="text-gray-700">在某些场景下，比如开发 RESTful API，可能需要禁用 CSRF 防护。</p>
                </div>
                
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-check-circle mr-2"></i>启用 CSRF 防护</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">// 默认已启用，无需额外配置</code></pre>
                    </div>
                    <p class="text-gray-700">如果需要启用 CSRF 防护，Spring Boot 默认会启用该功能，开发者无需做任何额外配置。Spring Security 会自动处理 CSRF Token 的生成和验证。</p>
                </div>
            </div>
        </section>

        <!-- Section 5: CORS -->
        <section class="mb-16">
            <div class="flex items-center mb-6">
                <div class="w-10 h-10 rounded-full bg-indigo-100 flex items-center justify-center mr-4">
                    <span class="text-indigo-600 font-bold">5</span>
                </div>
                <h2 class="text-2xl md:text-3xl font-bold text-gray-800">跨域资源共享 (CORS) 支持</h2>
            </div>
            <div class="prose prose-indigo max-w-none mb-8">
                <p>CORS 是一种机制，允许浏览器访问跨域的资源。Spring Boot 提供了集成 CORS 支持的方式，可以通过 <code>@CrossOrigin</code> 注解或全局 CORS 配置来进行设置。</p>
            </div>
            
            <div class="grid md:grid-cols-2 gap-6">
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-globe mr-2"></i>全局 CORS 配置</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("http://example.com")
                .allowedMethods("GET", "POST", "PUT", "DELETE");
    }
}</code></pre>
                    </div>
                </div>
                
                <div class="bg-white p-6 rounded-lg shadow-md hover-glow">
                    <h3 class="text-xl font-bold mb-4 text-indigo-700"><i class="fas fa-code mr-2"></i>局部 CORS 配置</h3>
                    <div class="code-block mb-4">
                        <pre><code class="language-java">@CrossOrigin(origins = "http://example.com")
@RequestMapping("/api")
public String getApiData() {
    return "API data";
}</code></pre>
                    </div>
                </div>
            </div>
        </section>

        <!-- Summary Card -->
        <section class="mb-16">
            <div class="bg-gradient-to-r from-indigo-50 to-purple-50 rounded-xl p-8 shadow-md">
                <h2 class="text-2xl md:text-3xl font-bold text-indigo-800 mb-6 text-center"><i class="fas fa-star mr-2"></i>Spring Security 核心要点</h2>
                <div class="grid md:grid-cols-3 gap-6">
                    <div class="bg-white p-5 rounded-lg shadow-sm">
                        <div class="w-12 h-12 bg-indigo-100 rounded-full flex items-center justify-center mb-4 mx-auto">
                            <i class="fas fa-user-shield text-indigo-600 text-xl"></i>
                        </div>
                        <h3 class="text-lg font-semibold text-center mb-2">认证机制</h3>
                        <p class="text-gray-600 text-sm text-center">多种认证方式集成，包括表单、HTTP Basic、OAuth2等</p>
                    </div>
                    <div class="bg-white p-5 rounded-lg shadow-sm">
                        <div class="w-12 h-12 bg-indigo-100 rounded-full flex items-center justify-center mb-4 mx-auto">
                            <i class="fas fa-key text-indigo-600 text-xl"></i>
                        </div>
                        <h3 class="text-lg font-semibold text-center mb-2">授权机制</h3>
                        <p class="text-gray-600 text-sm text-center">基于角色和方法的精细权限控制</p>
                    </div>
                    <div class="bg-white p-5 rounded-lg shadow-sm">
                        <div class="w-12 h-12 bg-indigo-100 rounded-full flex items-center justify-center mb-4 mx-auto">
                            <i class="fas fa-shield-alt text-indigo-600 text-xl"></i>
                        </div>
                        <h3 class="text-lg font-semibold text-center mb-2">安全防护</h3>
                        <p class="text-gray-600 text-sm text-center">CSRF、CORS等Web安全威胁防护</p>
                    </div>
                </div>
            </div>
        </section>
    </div>

    <!-- Footer -->
    <footer class="bg-gray-900 text-gray-300 py-12">
        <div class="max-w-6xl mx-auto px-4 sm:px-6 lg:px-8">
            <div class="flex flex-col items-center">
                <div class="text-2xl font-bold mb-4 text-white">技术小馆</div>
                <a href="http://www.yuque.com/jtostring" class="text-indigo-400 hover:text-indigo-300 transition-colors">
                    <i class="fas fa-external-link-alt mr-2"></i>http://www.yuque.com/jtostring
                </a>
            </div>
        </div>
    </footer>

    <script>
        mermaid.initialize({
            startOnLoad: true,
            theme: 'default',
            flowchart: {
                useMaxWidth: false,
                htmlLabels: true,
                curve: 'basis'
            }
        });
        
        // Smooth scrolling for anchor links
        document.querySelectorAll('a[href^="#"]').forEach(anchor => {
            anchor.addEventListener('click', function (e) {
                e.preventDefault();
                document.querySelector(this.getAttribute('href')).scrollIntoView({
                    behavior: 'smooth'
                });
            });
        });
    </script>
</body>
</html>
```